Let’s Explore DORA: The New Frontier of Financial Cybersecurity Regulations

A common piece of advice from the Simeio team to major enterprises is the importance of maintaining proactive regulatory readiness. As one of the largest markets in the world, the European Union (EU) takes actions that are of global importance. The EU has lacked a standardized set of meaningful cybersecurity requirements, and a universal set of identity security requirements across all industries has yet to materialize. However, the implementation of the Digital Operational Resilience Act (DORA) in the EU seeks to start making headway in the financial sector.

DORA marks a stark shift away from how the EU has handled financial sector cybersecurity in the past. As such, companies affected by the new standards must swiftly assess their existing identity fabric and amend it to comply. The labyrinth of new regulations often proves difficult to navigate. Fortunately, Simeio has provided a primer for those interested in what DORA means for them. Strict cybersecurity regulations don’t need to be a burden. Rather, with the right identity management partner, organisations have an opportunity to boost ROI and defend against very real threats.

What is DORA and Why was It Implemented?

Prior to DORA, EU-based financial enterprises handled risk management by being big enough to ignore it. Did a company have enough money to cover the damages of a breach event? If so, that was good enough in the eyes of the EU regulators. Cybersecurity standards only existed in the form of unevenly applied guidelines rather than concrete regulations. This situation unfairly benefited “too-big-to-fail” companies while also not accomplishing any actual protection for clients’ data.

However, concerned parties argued that this lack of cybersecurity put the entire financial system of the EU in jeopardy. Subsequently, DORA was created and passed to move from liability coverage to actual data security readiness. The regulation sets down strict and precise standards for data protection, threat detection, incident containment, and remediation. Information and communication technology (ICT) service providers must comply with these requirements by January 17th, 2025. Potential penalties for noncompliance are steep, adding to the urgency of implementation. These include fines of up to 1% of the provider’s average daily worldwide turnover, per day.

DORA has a few differences from the Network and Information Security Directive (NIS2), currently the most referenced EU cybersecurity regulation. Foremost, NIS2 is a directive, not a set of laws: it compels member states to draft their own laws to fulfill cybersecurity objectives. Conversely, DORA imposes blanket and uniform regulations. Furthermore, NIS2 broadly applies to all digital businesses in the EU, while DORA homes in on the financial sector specifically. Financial enterprises must ensure their cybersecurity strategies account for both DORA and the national laws shaped by the NIS2 directive.

What do Companies Need to Do to Comply?

While the precise details of DORA are complex, they can be succinctly broken down into four domains: internal risk management and governance, incident response and reporting, operational resilience testing, and risk management of third-party vectors.

  • Risk management and governance: Businesses must employ comprehensive risk management frameworks. This includes a full map of their systems that identifies critical assets. The assessment must include regular testing that identifies cyberthreats and outlines response plans to deal with them.
  • Incident remediation: Enterprises must maintain systems for monitoring, managing, logging, classifying and reporting cybersecurity incidents. This includes sending reports to affected clients and partners as well as relevant regulatory bodies. Three kinds of reports are specified: an initial report notifying authorities, an intermediate report on remediation progress, and a debrief analyzing the cause and timeline of the incident.
  • Resilience testing: Enterprises must execute vulnerability assessments and scenario drills at least once a year. Entities identified as key players in the EU’s financial system are subject to additional threat-led penetration testing (TLPT) every three years. DORA mandates that the enterprise’s critical ICT providers participate in these tests.
  • Third-party vectors: When outsourcing critical and important functions, financial entities must negotiate specific contractual arrangements regarding exit strategies, audits and performance targets for accessibility, integrity and security, among other things. DORA forbids enterprises from contracting with ICT entities unable to meet these requirements.

How can Simeio’s Solutions Fulfill DORA Compliance?

DORA specifically mandates the implementation of identity and access management (IAM) as well as detection and response systems. EU-based financial institutions face one of two options. Either they attempt an internal implementation of complicated, high-stakes systems, or they bring on identity experts who can provide an optimized assessment, implementation, and maintenance strategy. Simeio supports the exact kind of assessment mandated by DORA’s governance clauses. Not only does the maturity benchmark identify deficiencies in cybersecurity, but it also provides insights on efficiency and usability improvements.

Automated monitoring systems are part of Simeio’s managed services, and the Simeio team isn’t satisfied until they fully resolve a client’s pain points. Thus, the team implements a fine-tuned monitoring solution tailored to satisfy DORA requirements and other relevant regulations. This even extends to third-party vectors, with the Simeio team designing strict role-based access controls for third-party users. The team further supplements this system through continuous monitoring, which ensures that any suspicious activity is detected and halted.

Simeio’s managed services identify all regulatory requirements during the initial assessment, including ongoing efforts in the long term. Simeio can serve as the testing team carrying out mandated reviews and can also design systems to make the process as painless as possible. This is the case for enterprise audits, where automated data collection and organizational systems make audits quick and easy while delivering the best results possible.

Interested in the Simeio team’s DORA fulfillment capabilities for your enterprise? Contact a Simeio identity expert now.